Pandora sends user GPS, sex, birthdate, other data to ad servers

Pandora's Android app transmits a plethora of personal information to third parties after all, at least according to an analysis done by security firm Veracode. The company decided to do a follow-up on the news that Pandora—among other mobile app makers—was being investigated by a federal grand jury, and found that data about the user's birth date, gender, Android ID, and GPS information were all being sent to various advertising companies.

Earlier this week, Pandora revealed that it had been subpoenaed by a federal grand jury to produce documents about its user data collection practices on Android and iOS devices. The company said that it believes the subpoena is part of an industry-wide investigation into popular applications on both platforms. The Wall Street Journal quickly followed up on the news by reporting that the purpose of the investigation is to find out whether app makers fully describe to users the kinds of information they obtain and why they need it. One other iOS developer, Anthony Campiti, said that he also got a subpoena over his app, "Pumpkin Maker."

Veracode decided to dig into Pandora's Android app to see exactly what kinds of data it transmits (the firm gave no reason for leaving iOS out, but it sounds like the team did the analysis out of curiosity, and Android was what it had on hand). According to Veracode's analysis, Pandora's app is integrated with five separate ad libraries: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets.

The team verified that the AdMob library accesses the user's GPS information and various data about the application itself, such as package name and version info. That's relatively benign, but Veracode says there are other references that appear to transmit a user's birthday, gender, and postal code. Additionally, the app appears to send the user's Android ID, and seems to continually access the user's GPS location for updates.

"The analysis into the remaining libraries resulted in even more of the same," Veracode wrote on its blog. "The SecureStudies library accesses the android_id and directly sends a hash of the data to http://b.scorecardresearch.com while the Medialets library accesses the device’s GPS location, bearing, altitude, android_id, connection status, network information, device brand, model, release revision, and current IP address."
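The pattern Veracode describes, raw identifiers and location sent to one ad host and a hash of the android_id sent to another, is the kind of thing a privacy review can flag from captured outbound traffic. The script below is an added illustration written for this article, not Veracode's tooling or Pandora's code. It audits a constructed log of outbound requests, treats everything outside an assumed first-party domain (pandora.com) as third party, flags sensitive query parameters, and also catches the hashed-identifier case by comparing every parameter value against digests of the device's known android_id. The `.test` host names and the android_id value are made up; b.scorecardresearch.com is the host named in the article.

```python
import hashlib
from urllib.parse import urlparse, parse_qs

# Assumed first-party domain for this audit; anything else counts as third party.
FIRST_PARTY_DOMAINS = {"pandora.com"}

# Query parameter names that carry personal or device-identifying data.
SENSITIVE_PARAMS = {
    "lat", "lon", "altitude", "bearing",   # location
    "android_id", "imei", "ip",            # device / network identifiers
    "birthday", "gender", "zip",           # profile data
}


def _registered_domain(host):
    """Collapse 'ads.foo.example' to 'foo.example' (sufficient for this audit)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _identifier_hashes(value):
    """Hex digests an ad library might send instead of the raw identifier."""
    raw = value.encode()
    return {
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def audit_requests(log_lines, device_android_id, first_party=FIRST_PARTY_DOMAINS):
    """Return one finding per third-party request that carries sensitive data.

    Each finding is {"host": ..., "fields": [...]}; fields lists the sensitive
    parameter names seen, plus entries like 'android_id (md5)' when a parameter
    value equals a hash of the device's android_id.
    """
    digest_to_algo = {d: a for a, d in _identifier_hashes(device_android_id).items()}
    findings = []
    for line in log_lines:
        _, _, url = line.partition(" ")            # drop the HTTP method
        parsed = urlparse(url.strip())
        if _registered_domain(parsed.hostname or "") in first_party:
            continue                                # first-party traffic is out of scope
        params = parse_qs(parsed.query)
        fields = sorted(name for name in params if name.lower() in SENSITIVE_PARAMS)
        for values in params.values():
            for value in values:
                if value.lower() in digest_to_algo:
                    fields.append("android_id (%s)" % digest_to_algo[value.lower()])
        if fields:
            findings.append({"host": parsed.hostname, "fields": fields})
    return findings


# Constructed sample data: a made-up android_id and a made-up request log.
DEVICE_ANDROID_ID = "9774d56d682e549c"
SAMPLE_LOG = [
    "GET http://api.pandora.com/v1/station?id=42",
    "GET http://ads.admob-lib.test/ad?lat=37.77&lon=-122.42&android_id=9774d56d682e549c&pkg=com.pandora",
    "GET http://b.scorecardresearch.com/p?c1=" + _identifier_hashes(DEVICE_ANDROID_ID)["md5"],
    "GET http://cdn.pandora.com/art/cover.jpg",
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_LOG, DEVICE_ANDROID_ID):
        print(finding["host"], "<-", ", ".join(finding["fields"]))
```

The hash comparison is what makes the comScore case visible: a raw parameter scan sees only an opaque value in `c1`, but because the device's android_id is known at audit time, its md5 can be matched directly. A real review would feed this a proxy capture rather than a hand-written list and extend `SENSITIVE_PARAMS` to the names the libraries under test actually use.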

Pandora has argued that it needs the user information so that it can continue delivering personalized music streams. Veracode's analysis, however, shows that Pandora isn't just collecting that information for itself, but is also using it for advertising purposes. If the grand jury ends up coming to the same conclusion, Pandora (and other app makers) could be facing legal difficulties.

"[Y]our personal information is being transmitted to advertising agencies in mass quantities," wrote Veracode. "In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life... When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me."

Pandora did not respond to our request for comment by publication time. (Edit: Pandora has now responded, but declines to comment.)